Handling a composite type request for multivalued attributes

Handling a composite type request for multivalued attributes

Introduction

In this blog post, we will discuss an approach we took to handle composite type requests. The approach uses a custom action workflow activity that stores request details in a simple database. Then, a command line utility will process the records in the database,
and execute appropriate actions. We will discuss this further more in the following sections.

Composite Type Requests

A composite type request is generated when the Synchronization Engine detects that multiple transactions should be propagated to the FIM Service. Therefore, it aggregates those requests together into one composite request.

This feature was added for the first time in the latest version of FIM, FIM 2010 R2, to speed up the export operation between the Synchronization Engine and the FIM Service and database.

What is special about these composite requests? and why do they need special attention?

Based on FIM 2010 R2 release notes: "A new resource type CompositeType has been introduced for A Request issued by the Build-in Synchronization Account. It may interfere with any custom Action
workflows that parse request targets. To find the actual targets you will need to modify these workflows to parse the Request Parameters of a
CompositeType."

In our implementation, we were trying to execute action activities that target the members added to and/or removed from groups such as:

Update few of their attributes

Run a powershell script to enable Lync accounts or create an Exchange mailbox

Send email notification to group/application owners

The challenge

We went ahead and developed those custom workflow activities. During testing, and when the Synchronization Engine runs, it submits a composite type request that contains a fully detailed request parameters for the entire individual requests that were aggregated.
The request parameter will look something like this:

Since we were unable to resolve [//Delta/ExplicitMember/Added] or [//Delta/ExplicitMember/Removed] from the request parameters, we were unable to pass any GUID to the readResourceActivity, and we were unable to execute any actions correctly.

Suggested Solutions

To solve this problem, we could have modified the MIISServer.exe.config under "C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization
Service\Bin" by changing the aggregate property to false under resourceSynchronizationClient. This will not aggregate the request all
together, and will submit individual requests to FIM Service.

The other approach is discussed below:

In order not to compromise the speed of data flow between the Synchronization engine and the FIM Service, we kept the aggregate value set to true and took another approach in dealing with this issue.

We created a new custom action workflow activity that is triggered whenever the Synchronization Engine tries to add or remove a member from a group in the FIM Service. This new activity will be executed on the System Event Requests that we mentioned earlier.

In this newly created custom activity, read the request parameters of the parent request of this System Event Request.

After the data is dumped in the database, a scheduled task will extract distinct rows and execute desired actions depending on which group the user is being added to or removed from using the FIM Default Client.

The following image depicts the flow of data

First Approach VS Second Approach:

It is obvious that the first approach is easier and would consume significantly less time to implement, which makes it more rational if you have custom action activities already implemented in you system.

However, if you want to boost up your system or you are implementing FIM for the first time in your organization, we recommend that you keep the aggregate feature set to true and try to use this approach.